Archive

For those of you not familiar with Healthy Paranoia, it is an excellent podcast on PacketPushers, hosted by the wonderful and brilliant Mrs Y. Check out some of the shows on which Joe had the pleasure of being a guest:

Healthy Paranoia Show 13: To CISSP, or Not to CISSP takes on the question of “the profound problem of security certifications.”


For the last year, I have been reading many books about start-ups. Currently I am reading a book called “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses”, a book that debuted in October 2011 at #2 on the New York Times Best Seller list, with CNBC stating that it had “already [become] a must-read for any entrepreneur”.

Throughout this and other books, I see the topic of security risks and protecting customer information ignored and dismissed.

I guess the meme IBGYBG (I’ll be gone, you’ll be gone) discussed in Thomas L. Friedman’s “Why How Matters”, The New York Times, October 14 2008, applies to the security of business systems and networks.

To paraphrase Mr. Friedman with a security spin, “We got away from the basics — from the fundamentals of prudent security, where the company or organization maintains some kind of personal responsibility for, and personal interest in, whether the person receiving the private data can actually protect it. Instead, we fell into what some people call YBG IBG security: ‘you’ll be gone and I’ll be gone’ before the compromises happen.”

What do you think, B-School graduates, ‘C-Suite’ set and entrepreneur community? Am I being too hard?


After my posting “Cisco / Linksys leave their current customers behind”, I received a Facebook post from John Brzozowski, Chief Architect (1), IPv6 and Distinguished Engineer, Comcast Corporation, and friend. He reminded me that Ming-Han Liu Hans (2), IPv6 Evangelist at D-Link (3), has been working hard to upgrade the product line, receiving the IPv6 Ready Certification (4) on many of the D-Link products.

Never heard of the IPv6 Ready Program (4)? It was created by the IPv6 Forum for the purpose of conformance and interoperability testing, to increase user confidence by demonstrating that IPv6 is available now and is ready to be used. The program provides product vendors with methods and tools to test their products. In addition, they offer certified laboratories, which provide third-party validation of a product’s conformance and interoperability.

The advantage to consumers and businesses of using the IPv6 Ready Program database is avoiding vendors who claim support for IPv6 but do not actually provide it. A good example is the company ‘Billion’, which claims IPv6 support on the Wikipedia “Comparison of IPv6 support in routers”, makes a claim of support in their “Product Guide” (5), and even has an “IPv6 Support” logo (6) to convince everyone that it supports IPv6. But when looking up the IPv6 Ready Program page (7), only three products are listed, none of which are products listed in the current Billion Product Guide.

Now back to my original story. Based on the IPv6 Ready Logo Program, D-Link has over 69 IPv6 Ready Certified (8) products including:

Today I reviewed my blog entries, hosting services, domain names, videos and slides I have created over 8 years. Once that was complete, only one thing still needed to be tested – the ability of WordPress to support IPv6. Well, they failed, and I needed a method to ‘proxy’ my site through an IPv6-to-IPv4 infrastructure. The solution was CloudFlare, a provider that frontends IPv4-only websites, allowing them to be accessible via IPv6.

The process was quick and easy; it took a short time to set up, including making CloudFlare the DNS hosting service for my domain.

Upside: quick and easy

Downside:

–Turning the hosting of my domain names over to another vendor

–IPv4-only code running under IPv6 is now vulnerable

–CloudFlare’s inability to support DNSSEC

Anyway, for the short term this seems the only solution.
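An added example (not code from the original post) of the “IPv4-only code running under IPv6” downside: a reverse proxy that fronts an IPv4-only origin delivers the real client address in a request header, so origin code written for dotted-quad addresses mis-attributes every IPv6 client to the proxy’s own address, and an allowlist, rate limit or audit log keyed on the client address acts on the proxy instead. The header name, address ranges and sample requests below are constructed placeholders, not a specific vendor’s.

```python
import ipaddress
import re

# Constructed sample requests, as a reverse proxy fronting an IPv4-only
# origin would hand them over: the TCP peer is the proxy's IPv4 address and
# the real client address travels in a header. X-Real-Client-IP is a
# hypothetical header name; all addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"peer": "203.0.113.10", "headers": {"X-Real-Client-IP": "198.51.100.7"}},
    {"peer": "203.0.113.10", "headers": {"X-Real-Client-IP": "2001:db8::1"}},
    {"peer": "203.0.113.10", "headers": {"X-Real-Client-IP": "2001:db8::1, 203.0.113.10"}},
    {"peer": "203.0.113.10", "headers": {}},
    {"peer": "2001:db8:ffff::9", "headers": {"X-Real-Client-IP": "198.51.100.7"}},  # direct, not via proxy
]
ALLOWLIST = ["198.51.100.0/24", "2001:db8::/48"]   # constructed allowed client ranges
TRUSTED_PROXIES = ["203.0.113.0/24"]               # constructed proxy range
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def legacy_client_ip(req):
    """IPv4-only logic: accepts the header only if it looks like a dotted
    quad, otherwise falls back to the TCP peer, i.e. the proxy itself."""
    hdr = req["headers"].get("X-Real-Client-IP", "")
    return hdr if IPV4_RE.match(hdr) else req["peer"]

def legacy_allowed(req):
    """String-prefix allowlist: IPv6 clients can never match, and any
    dotted-quad header is trusted no matter who sent it."""
    return legacy_client_ip(req).startswith("198.51.100.")

def client_ip(req):
    """Family-agnostic: honour the header only when the peer is a trusted
    proxy, take the first hop, and validate it as IPv4 or IPv6."""
    peer = ipaddress.ip_address(req["peer"])
    if not any(peer in ipaddress.ip_network(n) for n in TRUSTED_PROXIES):
        return peer                                 # direct connection: ignore the header
    first = req["headers"].get("X-Real-Client-IP", "").split(",")[0].strip()
    try:
        return ipaddress.ip_address(first)
    except ValueError:
        return None                                 # malformed header from a proxy: reject, do not guess

def allowed(req):
    ip = client_ip(req)
    return ip is not None and any(ip in ipaddress.ip_network(n) for n in ALLOWLIST)

def compare_all():
    """Returns (legacy_decision, hardened_decision) for each sample request."""
    return [(legacy_allowed(r), allowed(r)) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, (old, new) in zip(SAMPLE_REQUESTS, compare_all()):
        print(req["headers"].get("X-Real-Client-IP", "<none>"), "legacy:", old, "hardened:", new)
```

The second and third requests show the failure mode the post names: a legitimate IPv6 client is rejected and logged as the proxy, while the last request shows the hardened version ignoring a client header that did not arrive through the proxy.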


Over the last 8 years, I have convinced several large organizations to enable an IPv6-only network, disabling IPv4 completely. The result has been a lower cost of managing the networks, as compared to organizations running dual-stack environments. Another major benefit is mitigating a vast amount of malware, command-and-control (C&C) channels, and Remote Access Trojans (RATs), lowering the number and cost of compromises.

I have been interested in graph theory since I worked for the railroad back in the 90’s, and even further back when I was working on my degree in the 80’s. Last year, as a side project (we all seem to have them), I asked the question “Has graph theory been applied to cybersecurity?” The answer was yes. I discovered tens of papers, some great and some not so good, but many more than I realized existed. I also found sample code, working templates and even two commercial products.

After my IPv6 presentation was not accepted for ShmooCon 2012, I decided to present my attack graph findings at the NOVAHA ShmooCon Epilogue event. The event was great; I learned things from all of the speakers and had many good side discussions.